Key differences between PCI-DSS and PA-DSS.
Both the Payment Application Data Security Standard (PA-DSS) and the Payment Card Industry Data Security Standard (PCI-DSS) are standards aimed at protecting payment card data.
The distinction is simple:
PCI-DSS applies to every organization that stores, processes, or transmits cardholder data, whereas PA-DSS applies to vendors that develop payment applications and sell, distribute, or license them to third parties.
PA-DSS and PCI-DSS are both compliance standards developed by the Payment Card Industry Security Standards Council (PCI SSC), an industry body founded by five payment card brands: Visa, Mastercard, Discover, American Express, and JCB.
Financial institutions, merchants, processors, software developers, and point-of-sale vendors also take part through the Council's advisory board and Participating Organization program. The PCI SSC maintains and updates the PCI family of standards.
These standards give merchants that accept payment cards, and the service providers that handle transactions for them, a set of rules for securing card data as it moves across electronic networks during the acceptance process.
The core standard is the PCI Data Security Standard (PCI DSS).
In most jurisdictions no law or regulation requires merchants and service providers to implement PCI standards, but the major card brands require it contractually, through the acquiring banks and other companies that process card transactions.
Failure to comply can leave a merchant unable to accept card payments at all, with the fines and loss of revenue that follow such a suspension.
In practice, therefore, every merchant that accepts payment cards must comply with PCI requirements.
The PCI SSC has established 12 high-level requirements for PCI compliance:
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open, public networks.
- Protect all systems against malware and regularly update anti-virus software or programs.
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data by business need to know.
- Identify and authenticate access to system components.
- Restrict physical access to cardholder data.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain a policy that addresses information security for all personnel.
These 12 requirements expand into 281 detailed sub-requirements and testing procedures. To be fully compliant, an organization must satisfy every sub-requirement that falls within its assessed scope.
Reaching compliance takes time:
up to two years for large retailers, and around a year for mid-sized and smaller merchants.
How compliance is assessed depends on the type of organization and on its merchant level (a tier set by the card brands based on annual transaction volume).
All merchants must complete some form of annual assessment, but the merchant level determines who performs it and how detailed it has to be.
PCI-DSS evaluations typically fall into one of three categories:
Qualified Security Assessor (QSA):
A QSA is a third-party assessor certified by the PCI SSC to perform PCI assessments. Level 1 merchants must undergo an annual on-site assessment that produces a Report on Compliance (ROC), normally performed by a QSA.
Internal Security Assessor (ISA):
An ISA is an employee of the organization being assessed who has been trained and qualified by the PCI SSC to perform PCI assessments of their own organization.
Self-Assessment Questionnaire (SAQ):
Lower-level merchants (those with fewer transactions) use a Self-Assessment Questionnaire to assess their own compliance.
Several SAQs exist; which one applies depends on how the merchant accepts cards (card-present versus card-not-present, fully outsourced versus partially outsourced processing). For example, SAQ A covers e-commerce merchants that fully outsource payment processing, while SAQ D applies to merchants that do not fit any of the narrower questionnaires.
PA-DSS stands for Payment Application Data Security Standard. (The PCI SSC retired the PA-DSS program in October 2022 in favour of the PCI Software Security Framework, but the requirements below still describe what a validated payment application had to do.)
Its objective is to help software vendors build secure payment applications that never retain "prohibited data" such as full magnetic stripe data, PIN data, or CVV2. Note that using a PA-DSS Validated Payment Application does not by itself make a merchant PCI DSS compliant, as the PA-DSS v3.2 Program Guide states.
According to the PCI SSC, PA-DSS applies to software vendors and others that develop payment applications which store, process, or transmit cardholder data and/or sensitive authentication data.
The PCI SSC defines 14 requirements, each with its own testing procedures, in the Payment Application Data Security Standard:
- Do not retain full track data, card verification code or value (CAV2, CID, CVC2, CVV2), or PIN block data.
- Protect stored cardholder data.
- Provide secure authentication features.
- Log payment application activity.
- Develop secure payment applications.
- Protect wireless transmissions.
- Test payment applications to address vulnerabilities and maintain payment application updates.
- Facilitate secure network implementation.
- Never store cardholder data on a server connected to the Internet.
- Facilitate secure remote access to the payment application.
- Encrypt sensitive traffic over public networks.
- Secure all non-console administrative access.
- Maintain a PA-DSS Implementation Guide for customers, resellers, and integrators.
- Assign PA-DSS responsibilities to personnel, and maintain training programs for personnel, customers, resellers, and integrators.
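The first PA-DSS requirement (never retain full track data, card verification values, or PIN blocks) and PCI-DSS requirement 3 (protect stored cardholder data, including masking the PAN) are the two places where the standards translate directly into application code. The following is an added example, written for this page and not taken from the PCI SSC or from any payment product, showing how a payment application can parse ISO 7813 Track 2 data read from a card, keep only a truncated PAN and expiry for storage, discard the discretionary data (which carries card verification values), and run a last check on anything about to be persisted. The sample track string is constructed: 4111111111111111 is the well-known Visa test PAN and the remaining fields are invented. The `SAD_OR_PAN_RE` pattern and the function names are this example's own, not an API from any library.

```python
"""Parse ISO 7813 Track 2 data and keep only what PCI DSS allows to be stored."""
import re
from dataclasses import dataclass

# Constructed sample: 4111111111111111 is the well-known Visa test PAN; expiry,
# service code and discretionary data are invented for this example.
SAMPLE_TRACK2 = ";4111111111111111=2512101123456789?"

# Track 2 layout: ';' PAN '=' YYMM service-code discretionary-data '?'
# (some readers strip the sentinels, so both are optional here).
TRACK2_RE = re.compile(
    r"^;?(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\??$"
)

# Guard pattern (this example's own): a full-track fragment "PAN=...", or any
# 13-19 digit run that could be an unmasked PAN, in data about to be written.
SAD_OR_PAN_RE = re.compile(r"\d{12,19}=\d{7,}|(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(pan: str) -> bool:
    """ISO/IEC 7812 mod-10 check digit used on PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS Req. 3: at most the first six and last four digits may be kept visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass(frozen=True)
class StoredCard:
    """The only card fields this application persists: truncated PAN and expiry."""
    masked_pan: str
    expiry_yymm: str


def parse_track2(track: str) -> dict:
    """Split Track 2 into fields; held in memory only, never written as-is."""
    m = TRACK2_RE.match(track)
    if not m:
        raise ValueError("not ISO 7813 Track 2 data")
    if not luhn_valid(m["pan"]):
        raise ValueError("PAN fails Luhn check")
    return m.groupdict()


def insecure_record(track: str) -> str:
    """The 'before': persists the whole track, retaining discretionary data
    (a PA-DSS Req. 1 violation) and the full PAN in clear (PCI DSS Req. 3)."""
    return f"card={track}"


def secure_record(track: str) -> StoredCard:
    """The 'after': service code and discretionary data are dropped, PAN is truncated."""
    fields = parse_track2(track)
    return StoredCard(masked_pan=mask_pan(fields["pan"]), expiry_yymm=fields["exp"])


def safe_to_persist(blob: str) -> bool:
    """Final gate before a database write or log line: refuse anything that
    still looks like track data or a full PAN."""
    return SAD_OR_PAN_RE.search(blob) is None


if __name__ == "__main__":
    print("insecure:", insecure_record(SAMPLE_TRACK2),
          "persist?", safe_to_persist(insecure_record(SAMPLE_TRACK2)))
    rec = secure_record(SAMPLE_TRACK2)
    print("secure:  ", rec, "persist?", safe_to_persist(str(rec)))
```

The same `safe_to_persist` gate belongs in front of the application's logging path as well, since PA-DSS requirement 4 asks for activity logs and an unfiltered log of raw card reads is the most common way a "compliant" application ends up retaining sensitive authentication data.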
Many PA-DSS requirements mirror PCI-DSS requirements. The difference is scope: PA-DSS applies to the payment application as the vendor ships it, while PCI-DSS applies to the merchant or service provider environment in which that application is deployed.